
Using Profiles to Provision Gateways

In This Section:

Provisioning Overview

Creating Provisioning Profiles

Configuring Settings for Provisioning

UTM-1 Edge Provisioning

Security Gateway Provisioning

Assigning Provisioning Profiles to Gateways

Provisioning Overview

SmartProvisioning lets you manage a large number of gateways. You can configure similar devices with the same settings and use Provisioning Profiles to manage multiple gateways with a single command.

After you have created a Provisioning Profile, you assign it to multiple gateways. When each gateway device fetches its Provisioning Profile, the device's configuration is updated with the settings in the profile.

Provisioning Profiles function in a manner similar to SmartLSM Security Profiles. The main differences between Provisioning Profiles and SmartLSM Security Profiles are described in the following table:

Provisioning Profiles and SmartLSM Security Profiles

              Provisioning Profile                          SmartLSM Security Profile
Provides      Central management of servers, network,       Installation of Security Policy for
              etc. of Check Point gateways                  SmartLSM Security Gateways
Requires      SmartProvisioning                             SmartLSM license and setup
Required by   No gateway                                    SmartLSM Security Gateways
Managed by    SmartProvisioning                             SmartDashboard

In addition, gateways that are provisioning-enabled have more management features, such as multiple automatic backups.

Creating Provisioning Profiles

You can create Provisioning Profiles in SmartProvisioning. Each Provisioning Profile can automate the steps required to manage configurations of gateways that have the same operating system, hardware, and Check Point software version.

Before you begin this procedure, make sure that your administrator username has Read/Write permissions for Provisioning Profiles (see Defining SmartProvisioning Administrators).

To create a Provisioning Profile:

  1. In the tree in the main window, click Profiles.

    Profiles is shown in the work space.

  2. From the Launch Menu, select File > New > Provisioning Profile.

    The New Provisioning Profile wizard opens.

  3. Enter a name for the profile.
  4. From the Select Type drop-down list, select the platform/operating system to be supported by this profile.

    Each Provisioning Profile can support only one operating system.

  5. Click Next.
  6. If you want to configure the settings of the Provisioning Profile now, select Edit Provisioning Profile properties after creation.
  7. Click Finish.

Configuring Settings for Provisioning

Each Provisioning Profile holds settings that are provisioned onto the gateways that reference this profile. This section describes the general properties of a Provisioning Profile and the configurations that are common to all devices.

Viewing General Properties of Provisioning Profiles

In the Profiles List, right-click a profile and select Edit Provisioning Profile.

Either the UTM-1 Edge Profile window or the Security Gateway Profile window opens, depending on the operating system for which the profile was created.

Note - The window for Security Gateway 80 does not have the Backup tab.

For both profile windows, the General view opens.

This is a Read-Only view of the Profile name and OS. You cannot change these properties after the profile is created.

The operating system of a Provisioning Profile determines which gateways can reference this profile.

Configuring Profile Settings

For each set of configurations that can be managed with a Provisioning Profile, you can decide which settings will have preference: local (not provisioned) or central (from SmartProvisioning individual management or from Provisioning Profile).

To determine profile settings:

  1. In the Profiles List, right-click a profile and select Edit Provisioning Profile.
  2. In the Profile window, click any category tab (other than General).
  3. Decide whether this Provisioning Profile will provide central management of the setting to gateways that reference the profile:
    • Manage settings locally on the device: Select this option if each gateway that references this profile should have its own settings, configured locally (not on SmartProvisioning), which cannot be overwritten by changes to the Provisioning Profile or to the SmartProvisioning gateway object. If you choose this option, the Gateway window will show: settings are defined to be managed locally on the device.
    • Manage settings centrally from this application: Select this option if each gateway that references this profile should get its configuration for this setting from the Provisioning Profile or from the SmartProvisioning gateway object.
  4. If you select to manage settings centrally, click Advanced.

    The Profile Settings window opens.

  5. Select an option for Overriding profile settings on device level is:
    • Allowed: You can override the profile settings with device-local settings, or with changes to these settings in the SmartProvisioning device window; or you can leave the profile settings as they are.
    • Denied: Each gateway takes the settings from the profile, with no option to override the profile settings.
    • Mandatory: Each gateway is configured separately; the profile settings are never applied and must be overridden on the gateway.
  6. Click OK.

    The choice you make here determines the functionality of the Gateway window, for the type of device configuration for which you made this profile setting.

    For example, if you set Hosts configuration to Central and Allowed: the Hosts tab on the gateway will enable you to manage the Host List of a gateway by:

    • Provisioning gateways with the Host List of the Provisioning Profile
    • Defining a new Host List (in the Gateway window) that overrides the Provisioning Profile on this gateway
    • Defining the Host List locally on the device (even if it has an assigned Provisioning Profile)

    The table below maps the selections in the Profile Settings to the displayed options in the Gateway windows.

Local or Central Management of Provisioned Gateways

Profile managed: Locally
Profile Override: Not relevant
Gateway Window Display and options: Settings are defined to be managed locally on the device. To change this, refer to Provisioning Profile profile_name. (controls are unavailable)

Profile managed: Centrally
Profile Override: Override denied
Gateway Window Display and options: Data must be taken from profile (controls are Read-Only, configured by profile)

Profile managed: Centrally
Profile Override: Override allowed
Gateway Window Display and options: Select override method:
  • Manage settings locally on the device: Local management; override provisioning configurations with local settings.
  • Use profile settings: Enforce profile settings on this gateway.
  • Use the following settings: Manage these settings on this gateway individually with the values given here.

Profile managed: Centrally
Profile Override: Override mandatory
Gateway Window Display and options: Overriding profile settings is mandatory: configure settings here. (Each gateway is configured separately)
  • Manage settings locally on the device: Manage these settings on this gateway locally.
  • Use the following settings: Manage these settings on this gateway individually with the values given here.

Warning - If the Use the following settings option is selected and no values are entered for a specific topic, the current settings on the device will be deleted.
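The precedence rules above are easy to get wrong when a profile is assigned to many gateways, so the following is an added example (not SmartProvisioning code) that models them: for one category tab it answers which options the Gateway window offers, which values a gateway ends up with, and whether an empty Use the following settings form is about to wipe the device's current settings. The category names and sample addresses are constructed.

```python
"""Added example (not SmartProvisioning code): a model of the precedence rules in
the mapping table above.  Category names and sample addresses are constructed."""
from dataclasses import dataclass, field

LOCAL, CENTRAL = "local", "central"                            # Profile tab choice
ALLOWED, DENIED, MANDATORY = "allowed", "denied", "mandatory"  # Profile Settings window
# Gateway window radio buttons: "Manage settings locally on the device",
# "Use profile settings", "Use the following settings"
DEVICE, PROFILE, GATEWAY = "device", "profile", "gateway"


@dataclass
class ProfileSetting:
    """One category tab (Hosts, DNS, Domain Name, ...) of a Provisioning Profile."""
    name: str
    mode: str                       # LOCAL or CENTRAL
    override: str = ALLOWED         # only meaningful when mode is CENTRAL
    values: dict = field(default_factory=dict)


@dataclass
class GatewayChoice:
    """What the administrator picked in the Gateway window for that category."""
    source: str                     # DEVICE, PROFILE or GATEWAY
    values: dict = field(default_factory=dict)   # used only with GATEWAY


def offered_options(setting):
    """Radio buttons the Gateway window shows, following the mapping table."""
    if setting.mode == LOCAL:
        return ()                                   # controls unavailable
    return {
        DENIED: (),                                 # read-only, data taken from profile
        ALLOWED: (DEVICE, PROFILE, GATEWAY),
        MANDATORY: (DEVICE, GATEWAY),               # profile values can never be used
    }[setting.override]


def resolve(setting, choice, device_current):
    """Effective values for one gateway and where they come from.

    device_current is what the device holds locally today; it survives only
    when the category is managed on the device.
    """
    if setting.mode == LOCAL:
        return dict(device_current), DEVICE
    if setting.override == DENIED:
        return dict(setting.values), PROFILE
    if choice.source not in offered_options(setting):
        raise ValueError(f"{setting.name}: '{choice.source}' is not offered when "
                         f"override is {setting.override}")
    if choice.source == DEVICE:
        return dict(device_current), DEVICE
    if choice.source == PROFILE:
        return dict(setting.values), PROFILE
    # GATEWAY: the values typed on the gateway replace whatever the device had,
    # so an empty form wipes the current device settings (the warning above).
    return dict(choice.values), GATEWAY


def preflight(setting, choice, device_current):
    """Warnings worth reading before the gateway next fetches its profile."""
    warnings = []
    if setting.mode != CENTRAL or setting.override == DENIED:
        return warnings
    if choice.source not in offered_options(setting):
        warnings.append(f"{setting.name}: '{choice.source}' is not offered when "
                        f"override is {setting.override}")
    elif choice.source == GATEWAY and not choice.values and device_current:
        warnings.append(f"{setting.name}: 'Use the following settings' has no values; "
                        f"the current {setting.name} settings on the device will be deleted")
    return warnings


# Constructed sample: a Hosts tab managed centrally with override allowed.
HOSTS = ProfileSetting("Hosts", CENTRAL, ALLOWED, {"mgmt": "192.0.2.10"})
DEVICE_HOSTS = {"printer": "192.0.2.50"}

if __name__ == "__main__":
    for choice in (GatewayChoice(PROFILE), GatewayChoice(DEVICE), GatewayChoice(GATEWAY)):
        values, origin = resolve(HOSTS, choice, DEVICE_HOSTS)
        print(f"{choice.source:8} -> {origin:8} {values}",
              *preflight(HOSTS, choice, DEVICE_HOSTS), sep="\n  ")
```

Running the block prints the three outcomes for the sample Hosts tab; the third line shows that choosing Use the following settings without entering any host leaves the gateway with an empty Host List, which is exactly the case the warning describes.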

UTM-1 Edge Provisioning

Some provisioning options are available only to UTM-1 Edge devices. Because UTM-1 Edge devices are embedded with Check Point products and configurations, some management options are handled differently than for non-Edge devices.

A Provisioning Profile can provision any or all of the network configurations. You can determine that one group of settings is provisioned and another set up locally; see Configuring Profile Settings.

Configuring Date and Time for Provisioning

You can synchronize all your UTM-1 Edge devices.

To configure the date and time in a Provisioning Profile:

  1. Open the UTM-1 Edge Profile window, and select the Date and Time tab.
  2. If you select central management, click Advanced to set central management options. See Configuring Settings for Provisioning for more information.
  3. If you select an option that uses the profile settings, decide how the gateway clock is synchronized:
    • If you want gateways of this profile to synchronize their date and time using a specific NTP server, select the Use Network Time Protocol (NTP) to synchronize the clock check box.
    • If you want gateways of this profile to synchronize their date and time using the Security Management Server/Domain Management Server, clear this check box and click OK. Gateways of this profile will be synchronized when they fetch their Provisioning Profile.
  4. If you select the Use Network Time Protocol (NTP) to synchronize the clock check box, provide the IP address or host name of the NTP server.

    If available, provide the IP address and name of a secondary NTP server.

  5. From the Time Zone drop-down list, select the time zone of the NTP server.

Configuring Routing for Provisioning

You can configure the Routing table of a UTM-1 Edge gateway through the Provisioning Profile. The first option is whether the gateways that reference this profile will have their routing configured by the profile, or locally.

To configure routing by provisioning:

  1. Open the UTM-1 Edge Profile window, and select the Routing tab.
  2. If you select central management, click Advanced to set central management options.
  3. If you selected an option that uses the profile settings, click Add.
  4. Provide the Source Settings, or leave Any Source selected:
    • Source IP: Source IP address (for example, this gateway's IP address; or the IP address of a source behind the gateway).
    • Source Mask: Net mask of the source network.
  5. Provide the Destination Settings, or leave Any Destination selected:
    • Destination IP Address: Destination IP address for this route (for example, the IP address of the CO gateway or the Security Management Server/Domain Management Server).
    • Destination Mask: Net mask of the destination network.
  6. Select the defining options:
    • Service: Select ANY or a specific service to be allowed along with the route.
    • Next Hop IP or network: Select a pre-defined network or provide the IP address of the closest router or default gateway.
    • Metric: Specify the distance in hops to the destination.
  7. Click OK.
  8. Configure all the routes that you want in this table.
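A routing table defined in a profile is pushed to every gateway that references it, so a mistyped mask or next hop is multiplied across the fleet. The following added example (not SmartProvisioning code) checks a route list shaped like the Routing dialog above before it is provisioned: that each Source/Destination IP and mask describe a real network, that the next hop lies on a network the gateways are attached to (that list is an assumption supplied by the caller), and that the metric is a usable hop count. The sample routes and addresses are constructed.

```python
"""Added example (not SmartProvisioning code): sanity-check a provisioned
routing table.  Field names mirror the Routing dialog; CONNECTED is assumed."""
import ipaddress

ANY = None          # stands for "Any Source" / "Any Destination" in the dialog


def _to_network(ip, mask, label):
    """Build a network from an IP/mask pair, or return None for Any."""
    if ip is ANY:
        return None
    try:
        # strict=True rejects a mask that leaves host bits set, which usually
        # means the address and the mask do not describe the same network
        return ipaddress.ip_network(f"{ip}/{mask}", strict=True)
    except ValueError as exc:
        raise ValueError(f"{label}: {ip}/{mask} is not a valid network ({exc})") from None


def validate_route(route, connected_networks):
    """Return a list of problems with one route entry (empty when it is sound).

    route keys: source_ip, source_mask, dest_ip, dest_mask, service, next_hop, metric.
    connected_networks: networks the gateways reach directly (assumed, caller-supplied).
    """
    problems = []
    for side in ("source", "dest"):
        try:
            _to_network(route.get(f"{side}_ip"), route.get(f"{side}_mask"), side)
        except ValueError as exc:
            problems.append(str(exc))
    try:
        hop = ipaddress.ip_address(route["next_hop"])
        if not any(hop in net for net in connected_networks):
            problems.append(f"next hop {hop} is not on a directly connected network")
    except (KeyError, ValueError):
        problems.append("next hop must be the IP address of a router or default gateway")
    metric = route.get("metric")
    if not isinstance(metric, int) or metric < 0:
        problems.append("metric must be a non-negative hop count")
    return problems


def validate_table(routes, connected_networks):
    """Map each route index to its problems; only routes with problems appear."""
    report = {}
    for index, route in enumerate(routes):
        problems = validate_route(route, connected_networks)
        if problems:
            report[index] = problems
    return report


# Constructed sample: one branch LAN behind the gateways and two candidate routes.
CONNECTED = [ipaddress.ip_network("192.0.2.0/24")]
SAMPLE_ROUTES = [
    {"source_ip": ANY, "source_mask": ANY, "dest_ip": "198.51.100.0",
     "dest_mask": "255.255.255.0", "service": "ANY", "next_hop": "192.0.2.1", "metric": 1},
    {"source_ip": "192.0.2.10", "source_mask": "255.255.255.0", "dest_ip": ANY,
     "dest_mask": ANY, "service": "ANY", "next_hop": "203.0.113.1", "metric": -1},
]

if __name__ == "__main__":
    for idx, issues in validate_table(SAMPLE_ROUTES, CONNECTED).items():
        print(f"route {idx}:", *issues, sep="\n  ")
```

The second sample route is rejected three times over: a host address paired with a /24 mask, a next hop outside the connected LAN, and a negative metric. If a route is meant to match a single host, give it a 255.255.255.255 mask, which the strict check accepts.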

Configuring HotSpot for Provisioning

You can configure a HotSpot in a Provisioning Profile, to provision the same HotSpot on all gateways that reference the profile. If your gateway provides wireless connectivity, configuring a HotSpot provides improved remote internet access.

Note - Some HotSpots use RADIUS servers for Authentication, Authorization, and Accounting. If this is true of yours, be sure to configure the RADIUS in the Provisioning Profile; see Configuring RADIUS for Provisioning.

To configure a HotSpot for Provisioning:

  1. Open the UTM-1 Edge Profile window, and select the HotSpot tab.
  2. If you select central management, click Advanced to set the central management options. See Configuring Settings for Provisioning for more information.
  3. Provide a HotSpot Title.
  4. In the HotSpot Terms field, specify the terms for valid access or End-User License.

    This may include: time limits, number of users, warnings that only known clients will be allowed, and any other term that is relevant for your users and according to your organization's policy.

  5. Select the appropriate options:
    • HotSpot is password-protected: Select this option if users should provide the HotSpot password.
    • Allow a user to login from more than one computer at the same time: This option is available only if a password is required. If not, the gateway does not need to recognize multiple logins of the same user account.
    • Use HTTPS: Select this option to allow access only with secured HTTP.
    • After login, redirect to URL: Provide the URL of the Web page that users should see after successful login through the HotSpot.
  6. Click OK.

Configuring RADIUS for Provisioning

You can configure the RADIUS server (Remote Authentication Dial In User Service) that provides authentication, authorization, and accounting for your gateways. By configuring RADIUS in the Provisioning Profile, you can configure it once for all gateways that reference this profile. The RADIUS server or group must be already defined as a SmartDashboard object.

To configure RADIUS in a Provisioning Profile:

  1. Open the UTM-1 Edge Profile window, and select the RADIUS tab.
  2. If you select central management, click Advanced to set the central management options. See Configuring Settings for Provisioning for more information.

    The RADIUS Servers lists show all the servers that are defined in SmartDashboard as RADIUS servers.

  3. In the Primary RADIUS Server list, select the RADIUS server that you want to be the primary RADIUS server of the gateways that reference this Provisioning Profile.
  4. In the Secondary RADIUS Server list, select the RADIUS server that you want to be the secondary RADIUS server of the gateways.
  5. If you want to configure the RADIUS server permissions, click Advanced.
  6. From the Administrator Level drop-down list, select the permissions that an administrator on gateways that reference this Provisioning Profile will have on the RADIUS server:
    • Read Write
    • Read Only
    • Users Manager
    • No Access
  7. Select permissions that you want to allow to users on the network of gateways that reference this Provisioning Profile, with authentication from the RADIUS server:
    • VPN Remote Access: Allows access to the VPN from a remote station, authenticating through the RADIUS server.
    • Web Filtering Override: Allows authenticated users to see Web sites that would otherwise be blocked by the RADIUS server configurations.
    • HotSpot access: Allows users access to the RADIUS server, and thus to the protected environment, from wireless HotSpot connections.
    • Remote Desktop Access: Allows users to access desktops inside the protected environment from a remote station.

Security Gateway Provisioning

This section explains the provisioning configurations that are available to Security Gateways.

A Provisioning Profile can provision any or all of the network configurations. You can determine which settings are provisioned and which are set up locally.

For example, you can create a Provisioning Profile for a number of gateways that are in one branch office. They are on the same LAN, therefore you can provision their DNS servers with central management (configure once, set on all). However, this office has multiple domains, so you do not want the Provisioning Profile to determine their domain. You set the Domain settings to local management.

Configuring DNS for Provisioning

You can configure DNS servers on a Provisioning Profile, providing the configuration for all gateways that reference this profile.

To configure DNS servers on a Provisioning Profile:

  1. Open the Security Gateway Profile window, and select the DNS tab.
  2. If you select central management, click Advanced to set the central management options.
  3. Provide the IP address of the First, Second, and Third DNS servers of the network.

Configuring DNS for Provisioning - Security Gateway 80

This section explains how to configure the DNS server provisioning profile for Security Gateway 80. You can configure DNS servers on a Provisioning Profile, providing the configuration for all Security Gateway 80s that reference this profile.

To configure DNS servers on a Provisioning Profile:

  1. Open the Security Gateway Profile window, and select the DNS tab.
  2. Select Manage DNS settings centrally from this application.
  3. Click Advanced. The Profile Settings window is displayed.
  4. Select one of these override profile settings:
    • Allowed
    • Denied
    • Mandatory

    For more information about override profile settings, see Configuring Profile Settings.

  5. To manually configure the IP address for the DNS servers:
    1. Select Set DNS server configuration.
    2. Enter the IP addresses for the DNS servers.
  6. To automatically configure the IP address for the DNS server, select Use DNS configurations provided by the active Internet connection.
  7. To use the Security Gateway 80 appliance as your default DNS proxy, select Enable DNS Proxy - resolves local DNS requests.

Configuring Firmware for Provisioning - Security Gateway 80

This section explains how to configure firmware installation settings for the provisioning profile for Security Gateway 80. When you configure firmware settings on a Provisioning Profile, you give the configuration for all Security Gateway 80 appliances that reference this profile.

The Security Gateway version must match its SmartLSM profile's version as defined in SmartDashboard for correct policy behavior. In some instances, it may be necessary to define exceptions for the default SmartLSM security profile that will replace the security profiles you have now, after installation of the firmware image. For example, if you do not want all gateways to use the specified default SmartLSM profile after installation, you can customize different security profiles to replace known security profiles.

Let’s say you have a scenario with these details:

  • The default SmartLSM profile after installation is configured to use a SmartLSM profile called "NewLSM".
  • After firmware installation, you want the "NewLSM" profile to be installed on all Security Gateways except for gateways that currently use the "GroupA_LSM" profile.
  • You want to replace the "GroupA_LSM" profile with a profile called "GroupA_NewLSM".

In such a scenario, you add an exception that replaces the "GroupA_LSM" profile with the "GroupA_NewLSM" profile.

You can install the firmware with one of these options:

  • Immediately - Downloads and installs the firmware at the next synchronization with a Security Gateway that references this profile, once these settings are saved.
  • According to time ranges - You can define download and installation time ranges for the firmware image. The download and installation time can be limited to a specified list of time ranges in the week. They will start at the nearest time range after firmware settings were applied. For example, if the firmware installation settings were applied on Sunday and there are two time ranges:
    • One range is set to Friday 00:00 to Saturday 00:00
    • One range is set to Wednesday 23:00 to Thursday 06:00

      The firmware will be installed between Wednesday 23:00 and Thursday 06:00.

      If the Security Gateway fails to download or install the firmware during the nearest time range, it tries again in the next time range.

To configure firmware installation settings on a Provisioning Profile:

  1. Open the Security Gateway Profile window, and select the Firmware tab.
  2. Select Manage firmware centrally from this application.
  3. Click Advanced. The Profile Settings window is displayed.
  4. Select one of these override profile settings:
    • Allowed
    • Denied
    • Mandatory

    For more information about override profile settings, see Configuring Profile Settings.

  5. In Firmware image, click Select to select a firmware image that has been uploaded through SmartUpdate.
  6. In Default SmartLSM Profile after installation, select the new SmartLSM profile of the Security Gateway (the Security Gateway version must match its SmartLSM profile's version as defined in SmartDashboard for correct policy behavior). The Security Gateway will replace its SmartLSM profile after successful firmware installation and only if the new firmware version is different from the version you have now.
  7. If necessary, click Exceptions to choose a new SmartLSM profile for Security Gateways with a specified SmartLSM profile.
    • Add/Edit - Click Add or Edit to open the Exceptions window to define/change an exception for a SmartLSM profile replacement. SmartLSM profiles will not be shown unless they are from a version higher than R71.
      • Current SmartLSM Profile - Select a SmartLSM profile from the list. A SmartLSM profile is shown only if the version is not R71 and not the selected firmware version. Make sure you have installed policy for the SmartLSM profile in SmartDashboard.
      • SmartLSM Profile after installation - Select a SmartLSM profile that will replace the SmartLSM profile after the firmware image installation. A SmartLSM profile is shown only if the version is the same as the selected firmware version. Make sure you have installed policy for the SmartLSM profile in SmartDashboard.
    • Remove - Click to remove a SmartLSM profile exception setting.
  8. Select one of the options to install the firmware:
    1. Immediately
    2. According to these time ranges - Select to use the Security Gateway time or local time.
      • Add/Edit - Click Add or Edit to open the Time Range window to define/change the weekdays and times for downloading and installing the firmware image. Select the days and times and click OK.
      • Remove - Select a range from the list and click Remove to delete a time range.
      • Download image immediately - Click this option to download the firmware image immediately but install the image during one of the set time ranges.
  9. Click Show profile settings - to see the settings of the Provisioning Profile that this gateway references.
  10. Click OK.
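The scheduling and profile-replacement rules in this section are the kind that deserve a dry run before a firmware image is pushed to a fleet. The following added example (not SmartProvisioning code) models them: weekly time ranges as entered in the Time Range window, the choice of the nearest range after the settings were applied, the retry in the following range, and the SmartLSM profile a gateway holds after installation (the default unless an exception matches, and only if the firmware version actually changes and the replacement profile is built for the new version). The profile names follow the scenario above; the version labels vOld and vNew, the date and the per-window outcomes are constructed.

```python
"""Added example, not SmartProvisioning code: a model of the Security Gateway 80
firmware rules above.  Version labels vOld/vNew and the dates are constructed."""
from datetime import datetime, timedelta

DAYS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]
WEEK = 7 * 24 * 60                       # minutes in one week


def _week_minute(day, hhmm):
    """Minute offset inside the week; Monday 00:00 is 0."""
    hour, minute = (int(part) for part in hhmm.split(":"))
    return DAYS.index(day) * 1440 + hour * 60 + minute


class TimeRange:
    """One row of the Time Range window, e.g. Friday 00:00 to Saturday 00:00."""
    def __init__(self, start_day, start_time, end_day, end_time):
        self.start = _week_minute(start_day, start_time)
        self.end = _week_minute(end_day, end_time)
        if self.end <= self.start:           # range crosses Sunday/Monday midnight
            self.end += WEEK


def next_window(ranges, after):
    """(start, end) datetimes of the nearest range at or after `after`.

    A range already in progress counts, with its start clipped to `after`.
    """
    now = after.weekday() * 1440 + after.hour * 60 + after.minute
    monday = (after.replace(hour=0, minute=0, second=0, microsecond=0)
              - timedelta(days=after.weekday()))
    best = None
    for rng in ranges:
        for offset in (-WEEK, 0, WEEK):      # last week's wrap, this week, next week
            start, end = rng.start + offset, rng.end + offset
            if end <= now:
                continue                     # this occurrence is already over
            candidate = (max(start, now), end)
            if best is None or candidate < best:
                best = candidate
    if best is None:
        return None
    return tuple(monday + timedelta(minutes=m) for m in best)


def describe(window):
    """Readable form of a window, e.g. 'Wednesday 23:00 - Thursday 06:00'."""
    return f"{window[0]:%A %H:%M} - {window[1]:%A %H:%M}"


def install_attempts(ranges, applied_at, outcomes):
    """Simulate the retry rule: each False outcome moves on to the next range.

    `outcomes` is a constructed list of success flags, one per attempted window.
    Returns the windows used; the last one is where installation succeeded.
    """
    used, cursor = [], applied_at
    for succeeded in outcomes:
        window = next_window(ranges, cursor)
        if window is None:
            break
        used.append(window)
        if succeeded:
            break
        cursor = window[1]                   # retry in the range after this one
    return used


def profile_after_install(gateway, image_version, default_profile, exceptions,
                          profile_versions):
    """SmartLSM profile a gateway holds once the image is installed.

    The profile changes only if the firmware version changes, and the chosen
    replacement must be built for the new version (the match the text requires).
    """
    if gateway["version"] == image_version:
        return gateway["profile"]
    replacement = exceptions.get(gateway["profile"], default_profile)
    if profile_versions.get(replacement) != image_version:
        raise ValueError(f"{replacement} is not a {image_version} SmartLSM profile")
    return replacement


# Constructed data matching the scenario in the text.
RANGES = [TimeRange("Friday", "00:00", "Saturday", "00:00"),
          TimeRange("Wednesday", "23:00", "Thursday", "06:00")]
APPLIED = datetime(2014, 3, 2, 10, 0)    # a Sunday
EXCEPTIONS = {"GroupA_LSM": "GroupA_NewLSM"}
PROFILE_VERSIONS = {"NewLSM": "vNew", "GroupA_NewLSM": "vNew",
                    "GroupA_LSM": "vOld", "BranchLSM": "vOld"}

if __name__ == "__main__":
    for window in install_attempts(RANGES, APPLIED, [False, True]):
        print("window", describe(window))
    for gw in ({"version": "vOld", "profile": "GroupA_LSM"},
               {"version": "vOld", "profile": "BranchLSM"}):
        print(gw["profile"], "->", profile_after_install(
            gw, "vNew", "NewLSM", EXCEPTIONS, PROFILE_VERSIONS))
```

With settings applied on a Sunday, the first window chosen is Wednesday 23:00 to Thursday 06:00, as in the text; a simulated failure there moves the next attempt to Friday 00:00 to Saturday 00:00. The GroupA_LSM gateway receives GroupA_NewLSM through the exception while every other gateway receives NewLSM, and a gateway already on the image's version keeps its current profile.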

Configuring Hosts for Provisioning

You can configure hosts on a Provisioning Profile, providing the configuration for all gateways that reference this profile. This is especially useful for gateways on the same LAN or network, such as Security Gateways with HA.

To configure hosts on a Provisioning Profile:

  1. Open the Security Gateway Profile window, and select the Hosts tab.
  2. If you select central management, click Advanced to set the central management options.
  3. Click New.
  4. Provide the host name and the IP address, and click OK to return to the Hosts tab.
  5. Repeat for all relevant hosts.

    Every gateway that references this Provisioning Profile receives this Host list.

Configuring Domain Name for Provisioning

You can configure the domain on a Provisioning Profile, providing the configuration for all gateways that reference this profile. This is useful for gateways that share a domain; you only have to configure it once for all the gateways.

To configure the domain on a Provisioning Profile:

  1. Open the Security Gateway Profile window, and select the Domain Name tab.
  2. If you select central management, click Advanced to set the central management options.
  3. Provide the domain name.

Configuring Backup Schedule

You can set all gateways that reference this Provisioning Profile to be backed up on a schedule. When each gateway in turn fetches the Provisioning Profile, its backup is created.

For example, if you want to ensure that all gateways are backed up without causing downtime, you can create one Provisioning Profile that backs up primary gateways at midnight on the weekend and another Provisioning Profile that backs up secondary gateways at six in the morning on every fifth day of the month.

To configure backup settings of a Provisioning Profile:

  1. Open the Security Gateway Profile window, and select the Backup tab.
  2. If you select central management, click Advanced to set the central management options. See Configuring Settings for Provisioning for more information.
  3. Select Enable Backup.
  4. In the Start at field, select the hour (in 24-hour format) and minute for the backup to start.
  5. Select the frequency at which the backup is to recur:
    • Select the Day of the month radio button and then select a date.
    • Select the weekdays radio button and then select each relevant day.
  6. If you want the log files to be included in the backup, select the Include Check point products log files in the backup checkbox.

    Such backups are generally much larger than without the logs, so be sure to clear this checkbox if you do not need the logs. Log files are not relevant for IP Appliances, so clear this checkbox for IPSO-Based gateways.

    You can configure the backups to be stored on a machine other than the SmartProvisioning console. This option is relevant only if all gateways that will reference this Provisioning Profile are on the same network, with access to the server that will get and store the backups.

  7. If you want the backups to be saved on another server, click Backup Target.

    The Backup Target window opens.

  8. Select the server type to hold the backups, or select Locally on Device, enabling each gateway of this profile to hold its own backup file.
  9. Provide the IP address or Hostname of the selected server.
  10. For SCP servers, provide the Username and Password.
  11. Click OK.

Assigning Provisioning Profiles to Gateways

After you create a Provisioning Profile, you can assign gateways to be automatically managed by this profile. Make sure that the actual gateway fits the operating system and software version of the Provisioning Profile.

To assign a Provisioning Profile to a gateway:

  1. In the tree in the main window, click Devices.

    The Devices work space appears.

  2. Double-click a gateway.

    The Gateway window opens, with the General settings displayed.

  3. Make sure the Enable Provisioning check box is selected.
  4. Select Provisioning Profile.
  5. From the drop-down menu, select the Provisioning Profile whose settings you want to use to configure this gateway; or click New and create a new Provisioning Profile.
 
©2014 Check Point Software Technologies Ltd. All rights reserved.